[isapros] Re: How to on ISA 2006

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Sat, 23 Sep 2006 10:31:43 -0700

Ah- got it... The admin questions were more of a curiosity than anything
else...
t


On 9/22/06 11:51 PM, "John T (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx> spoketh
to all:

> Yes, that is what I was looking for. It will be more work for the client to
> set up initially, (the calling of the process as runas a specific process user)
> but that will settle the security concerns.
>  
> As to the 3 questions:
> 1) I asked that and the client stated the spec sheets are never updated since
> the actual PDF is an image of the original spec sheet created by the part
> manufacturer. The 3rd party master data store is in essence a spec sheet
> clearing house where they go out and find all these data sheets and then index
> them with unique ID numbers and create the PDF and then publish it.
> 2) Whenever a PDF is needed, it is checked locally and if not there then it
> is retrieved from the 3rd party and from that point on it is stored locally.
> 3) We are talking millions of PDFs here and more are always found, processed
> and added to the index. The initial storage space for this one feature is
> 500GB with the potential growth in 3 years to reach 1TB. Even using double
> sided DVDs would be out of the question.
>  
> 
> John T
> eServices For You
>  
> "Seek, and ye shall find!"
>  
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: Friday, September 22, 2006 10:01 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: How to on ISA 2006
>  
> It's John though, so let's give this one a go...
> 
> We've got an internal server that needs to download content on demand and
> write it to a shared folder for internal use.  Only this "process" should have
> write access to the share (everyone else is read only), and only the PDFs
> from the trusted host should be written.
> 
> There are administrative questions I have in general that don't speak to
> solving the problem, but I've got to ask them:
> 1. what happens if a PDF gets updated by the main server?  How will the "new"
> content be downloaded?
> 2. why store the content locally in the first place when the client can dl it
> right from the source?
> 3. Why not just get a DVD of the PDFs from the source?
> 
> [So, let's ignore those for now..]
> 
> Jim skipped over some steps in his answer, but yes, ISA can't determine the
> original source of a document that someone may want to upload to a share once
> they've got it on the local host.  But we may be able to combine some
> mechanisms to arrive at a solution.
> 
> Obviously, the main threat is that the current config allows IIS' anonymous
> access user to write to a shared directory.  An attacker could leverage this
> to upload malicious content to the server and own assets.  So, the "download
> process" should be separated from the "anonymous user" context.
> 
> Set up two users:  one for the IIS anonymous user, and one for the download
> process.  The IIS user has READ rights only to the directory and explicit deny
> WRITE rights.  The download process has WRITE only rights to the directory.
> Both users explicitly have DENY EXECUTE rights.
> 
> Client user requests PDF that does not exist.  IIS user calls to RUNAS job
> under creds of "process" job, passing it the URL for the file. The process user
> calls for a download of the PDF.  From an ISA standpoint, there is an access
> rule that allows the "process" user to download PDF content from only the
> internet host system, followed by a DENY ALL rule for that user to cover
> anything else.  The process writes the file to the shared directory.  The IIS
> user can then pass the file to the client user with READ rights.
> 
> This way, the IIS user can only READ, and the "process" user can only WRITE,
> and neither can EXECUTE.   ISA can limit what the "process" user can download
> and from where, and you don't have to worry about exploits against the IIS
> user.  Even if the IIS user is compromised and the "process" user's creds
> exposed, the attacker could only download PDFs from the approved host.
> Further, you can use Group Policy to explicitly deny network access to the
> rest of the network for the "process" user as you will know that all of that
> user's access is local to the IIS box, and this gives you added security.
> Same for the IIS user.
> 
> Is this along the lines of the solution you were looking for?
> 
> t
> 
> On 9/21/06 9:18 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> There is no way for ISA to determine the original source of content (regardless
> of file type) delivered via an HTTP stream.  A file JoeBobAlooba sends you
> from his desktop looks exactly the same as one he pulled from a remote
> share.  Unless the server / client applications define it in some way, there
> is no such context as "file properties" or "originator" in HTTP other than a
> "referer" header and this only refers to the site that sent JoeBobAlooba to
> your site.
> Even then, there is no way to define "block all except" in HTTP signatures -
> it's "block this" only.
> 
> From: isapros-bounce@xxxxxxxxxxxxx on behalf of John T (Lists)
> Sent: Thu 9/21/2006 6:18 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: How to on ISA 2006
> 
> ASP. Website is on an internal server. ISA is ISA only.
> 
> 
> John T
> eServices For You
> 
> "Seek, and ye shall find!"
> 
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: Thursday, September 21, 2006 4:29 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: How to on ISA 2006
> 
> Can you give more information about the process doing the downloading? .NET or
> ASP based?  The ISA box is not the same box, right?
> 
> t
> 
> 
> On 9/21/06 1:03 PM, "John T (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx> spoketh to
> all:
> This is a new one for me but I am sure ISA can do this but I need pointers in
> the direction of how to.
>  
> Internal server is running IIS 6.0 on Windows 2003 Standard server. IIS
> anonymous user is a domain account properly configured.
>  
> There will be a function of a sub-site of the company website (forced SSL)
> that will return and display information as a result set for a part search.
> Part of that displayed information will be a web button displayed that if
> there is a PDF document available for specs for that part will either A) open
> the PDF in a new window if the document exists on the data share on the local
> server or B) if the PDF document does not exist on the data share of the local
> server retrieve it from the 3rd party master data store on the Internet and
> add (write) it to the data share of the local server and then display it in a
> new window.
>  
> The concern is to ensure that only PDF documents from that 3rd party master
> data store on the Internet can be added (written) to the data share of the
> local server since the anonymous user for the site will have write permission
> for that directory.
>  
> What can be done on the ISA server to prevent writing to the data share except
> for PDF documents from that 3rd party master data store?
>  
> John T
> eServices For You
>  
> "Seek, and ye shall find!"
> 
> 
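The NTFS permission split Thor lays out above (IIS anonymous user read-only with an explicit deny on write, the RUNAS download user write-only, both denied execute), as an added PowerShell example that is not part of the thread; the share path, the two account names and the `New-Ace` helper are hypothetical placeholders, and the matching ISA access rules for the download user are set in the ISA console and are not covered here.

```powershell
# Added example, not from the thread: apply Thor's NTFS split to the PDF share.
# Share path and the two service accounts below are hypothetical placeholders.
$Share   = 'D:\PDFShare'
$IisUser = 'CORP\svc_iisanon'   # IIS anonymous user: READ only, explicit DENY WRITE
$DlUser  = 'CORP\svc_pdfdl'     # RUNAS download process: WRITE only

$Tree        = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Files       = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$Propagate   = [System.Security.AccessControl.PropagationFlags]::None
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Hypothetical helper: builds one FileSystemAccessRule (an ACE) from plain arguments.
function New-Ace {
    param($Identity, $Rights, $Inherit, $Prop, $Type)
    $ctorArgs = @($Identity,
                  [System.Security.AccessControl.FileSystemRights]$Rights,
                  $Inherit, $Prop,
                  [System.Security.AccessControl.AccessControlType]$Type)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs
}

$acl = Get-Acl -Path $Share
# Inherited entries (SYSTEM, Administrators) are left alone; only the two
# service accounts are pinned down here.

# IIS anonymous user: Read allowed, Write explicitly denied (deny ACEs win over allows).
$acl.AddAccessRule((New-Ace $IisUser 'Read'  $Tree $Propagate 'Allow'))
$acl.AddAccessRule((New-Ace $IisUser 'Write' $Tree $Propagate 'Deny'))

# Download process user: Write only (create files / write data), no read, no execute.
$acl.AddAccessRule((New-Ace $DlUser 'Write' $Tree $Propagate 'Allow'))

# Both accounts: deny ExecuteFile, scoped to files only (ObjectInherit + InheritOnly)
# so the deny does not also deny Traverse on the folder itself.
foreach ($u in @($IisUser, $DlUser)) {
    $acl.AddAccessRule((New-Ace $u 'ExecuteFile' $Files $InheritOnly 'Deny'))
}

Set-Acl -Path $Share -AclObject $acl

# Check: each account should show exactly the ACEs added above and nothing broader.
(Get-Acl -Path $Share).Access |
    Where-Object { @($IisUser, $DlUser) -contains $_.IdentityReference.Value } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags -AutoSize
```

If the two accounts are also members of a group that inherits Modify or Full Control from the parent folder, that group ACE has to be removed or the explicit denies above are the only thing holding the split together.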